On Fri, Jan 8, 2016 at 6:35 PM, Marko Cupač <marko.cu...@mimar.rs> wrote:
> On Fri, 8 Jan 2016 11:13:08 -0500
> sven falempin <sven.falem...@gmail.com> wrote:
>
> > You will need to forward all the rule set I think, maybe the set prio
> > 0 is erased by a further rule, try to pass in quick those p2p
> > traffic before maybe ?
>
> I had the luxury of ditching the complete ruleset for a very simple one:
>
> ---pf.conf-start---
> # RUNTIME OPTIONS
> set skip on lo0
>
> # INTERFACES
> if_int = "re2"
> if_ext = "pppoe0"
>
> # HOSTS & NETWORKS
> localnet = "{ 192.168.33.0/24 }"
>
> # PORTS
> both_p2p = "{ 1000:65535 }"
>
> # NAT
> match in all scrub ( no-df random-id max-mss 1440 )
> match out on $if_ext inet from $localnet to any nat-to ($if_ext:0)
>
> # RULES
> block drop log all
> pass inet from ($if_ext:0) to any
> pass inet from $localnet to any
> pass inet proto tcp from ($if_ext:0) to any port $both_p2p \
>   set ( prio 0 )
> pass inet proto tcp from $localnet to any port $both_p2p \
>   set ( prio 0 )
> pass inet proto udp from ($if_ext:0) to any port $both_p2p \
>   set ( prio 0 )
> pass inet proto udp from $localnet to any port $both_p2p \
>   set ( prio 0 )
> ---pf.conf-end---
>
> Actual ruleset (as seen by pfctl -sr output) is as follows:
>
> ---pfctl-sr-start---
> match in all scrub (no-df random-id max-mss 1440)
> match out on pppoe0 inet from 192.168.33.0/24 to any nat-to (pppoe0:0)
> block drop log all
> pass inet from (pppoe0:0) to any flags S/SA
> pass inet from 192.168.33.0/24 to any flags S/SA
> pass inet proto tcp from (pppoe0:0) to any port 1000:65535 \
>   flags S/SA set ( prio 0 )
> pass inet proto tcp from 192.168.33.0/24 to any port 1000:65535 \
>   flags S/SA set ( prio 0 )
> pass inet proto udp from (pppoe0:0) to any port 1000:65535 \
>   set ( prio 0 )
> pass inet proto udp from 192.168.33.0/24 to any port 1000:65535 \
>   set ( prio 0 )
> ---pfctl-sr-end---
>
> Situation is still the same: torrents being downloaded at full speed
> (~8Mbit/s), simultaneous download of install59.fs from ftp.openbsd.org
> averages at ~6Kbit/s.
>
> Can anyone reproduce this?
> --
> Before enlightenment - chop wood, draw water.
> After enlightenment - chop wood, draw water.
>
> Marko Cupač
> https://www.mimar.rs/
>

First of all, you cannot stop the p2p outside world from flooding you in,
whatever you do in UDP. If the software says "hey world, DDoS me on my IP",
the world will DDoS you and the packets will load the other side of your
pppoe. So don't start ranting for the 50 hours, it's frustrating but there
is hope, but you may have to rethink your position about bandwidth shaping
magic.

What I was proposing is for you to quick out the rules first, something
LIKE this, but it won't work dude, afaik, and it will be the same whatever
the algorithm.

---pf.conf-start---
# RUNTIME OPTIONS
set skip on lo0

# INTERFACES
if_int = "re2"
if_ext = "pppoe0"

# HOSTS & NETWORKS
localnet = "{ 192.168.33.0/24 }"

# PORTS
both_p2p = "{ 1000:65535 }"

match in all scrub ( no-df random-id max-mss 1440 )

# NAT
pass quick out on $if_ext inet from ($if_int:network) to any port 1000:65535 \
  set prio 0 nat-to ($if_ext:0)
match out on $if_ext inet from $localnet to any nat-to ($if_ext:0)

# RULES
block drop log all
pass inet from ($if_ext:0) to any
pass inet from $localnet to any
pass inet proto tcp from ($if_ext:0) to any port $both_p2p \
  set ( prio 0 )
pass inet proto tcp from $localnet to any port $both_p2p \
  set ( prio 0 )
pass inet proto udp from ($if_ext:0) to any port $both_p2p \
  set ( prio 0 )
pass inet proto udp from $localnet to any port $both_p2p \
  set ( prio 0 )
---pf.conf-end---

--
() ascii ribbon campaign - against html e-mail
/\
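An added example, written for this page and not posted by either participant: the same ruleset with the p2p ports put into a capped egress queue on pppoe0, rather than relying on prio alone, so uploads and the ACKs of the other downloads share the upstream on a fixed split. The upstream rate of 1M, the queue names and the 800K/200K split are assumptions; the interface and network names are those from the thread. Queues only shape what leaves pppoe0, so, as the reply above says, inbound p2p can still fill the downstream regardless.

```pf
# Added example (not from the thread). The 1M upstream is an assumed value;
# replace it with the real link rate, otherwise the queues never engage.
set skip on lo0

if_int   = "re2"
if_ext   = "pppoe0"
localnet = "{ 192.168.33.0/24 }"
both_p2p = "{ 1000:65535 }"

# Queues are attached to the interface packets leave through, so this
# shapes egress on pppoe0 only (uploads, and the ACKs of downloads).
queue rootq on $if_ext bandwidth 1M
queue std   parent rootq bandwidth 800K default   # everything else, incl. ftp
queue p2p   parent rootq bandwidth 200K max 300K  # hard ceiling for p2p

match in all scrub ( no-df random-id max-mss 1440 )
match out on $if_ext inet from $localnet to any nat-to ($if_ext:0)

block drop log all
pass inet from ($if_ext:0) to any
pass inet from $localnet to any

# Same port match as the original rules, but the states are assigned to
# the capped queue as well as lowest prio. Without "quick" the last
# matching rule wins, so these override the generic pass rules above.
pass inet proto { tcp udp } from $localnet to any port $both_p2p \
    set ( prio 0, queue p2p )
pass inet proto { tcp udp } from ($if_ext:0) to any port $both_p2p \
    set ( prio 0, queue p2p )
```

Check that traffic actually lands in the queue with `pfctl -vs queue`; if the p2p counters stay at zero the rule order or port range is not matching what you expect.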